
List:       security-onion
Subject:    [security-onion] Re: SO sensor placement
From:       "in... () friendandfamilytech ! com" <info () friendandfamilytech ! com>
Date:       2021-03-23 12:40:12
Message-ID: 7ec1f7af-bfbd-4b39-8370-57b55b107cccn () googlegroups ! com



Hey Ben, you're absolutely right. Although there might be some use cases 
for analyzing traffic that hits the outside of your firewall, unless you 
have a very large budget, and a security team with a lot of time on their 
hands, you'll spend a lot of time weeding through alerts. You might be 
able to satisfy your colleagues by just ingesting firewall logs into SO 
through syslog (or JSON if possible). If you configure the firewall to log 
packets dropped at the firewall, you'll have a pretty good idea of how much 
data you would need to handle if you wanted a sensor on the outside (and 
then decide not to put a sensor outside your firewall).

Good luck,



Kevin

On Tuesday, March 23, 2021 at 4:29:58 AM UTC-4 Ben wrote:

> Hello!
> 
> I have a discussion ongoing if it makes sense to place a sensor in front 
> of our perimeter firewall to monitor everything that is hitting our 
> network from the outside. I'm not a big fan of this approach and argue 
> that we already know that the Internet is a bad place out there and we are 
> running SO to detect intrusions and not to document all sorts of attacks to 
> get a weather report regarding attack activity. I want to place different 
> sensors behind the perimeter firewall to monitor different network segments.
> 
> I fear tons of alarms that we will see in SO, which are actually no 
> threats, since the firewall will take care of them. Is there a right or 
> wrong to this question? Are there best practices regarding the placement of 
> sensors?
> 
> Any feedback is highly appreciated. Thanks in advance!
> 
> Cheers, Ben.
> 

-- 
Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html
--- 
You received this message because you are subscribed to the Google Groups
"security-onion" group. To unsubscribe from this group and stop receiving emails from
it, send an email to security-onion+unsubscribe@googlegroups.com. To view this
discussion on the web visit
https://groups.google.com/d/msgid/security-onion/7ec1f7af-bfbd-4b39-8370-57b55b107cccn%40googlegroups.com.
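The sizing exercise Kevin describes (log the firewall's drops over syslog, then use them to estimate what a sensor outside the perimeter would have to absorb) can be done with a short script before anyone buys hardware. The following is an added example written for this archive page; it is not code from the list thread or from the Security Onion project. It assumes netfilter/iptables LOG-target lines with a "DROP" log prefix forwarded as RFC 3164 syslog; the six sample lines are constructed, and the hostname fw1 and the addresses are placeholders from documentation ranges.

```python
"""Estimate outside-the-firewall event volume from firewall drop logs.

Added example for the security-onion thread above (not the project's code).
Assumes iptables/netfilter LOG lines with a "DROP" prefix, received via syslog.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a 10-second window of syslog-forwarded drop lines.
SAMPLE_LOG = """\
Mar 23 12:40:01 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=22
Mar 23 12:40:01 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=23
Mar 23 12:40:02 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40000 DPT=445
Mar 23 12:40:03 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=328 PROTO=UDP SPT=5060 DPT=5060
Mar 23 12:40:05 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51236 DPT=3389
Mar 23 12:40:11 fw1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=6000 DPT=22
"""

# RFC 3164 timestamp, host, "kernel:", the LOG prefix (here DROP), then KEY=VALUE pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<action>\S+) (?P<kv>.*)$"
)


def parse_line(line, year=2021):
    """Return a dict for one netfilter LOG line, or None if it does not match.

    RFC 3164 timestamps carry no year, so the caller supplies it (assumed 2021).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    # "OUT=" with an empty value splits cleanly into ("OUT", "").
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "action": m["action"],
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": kv.get("DPT"),
        "pkt_len": int(kv.get("LEN", 0)),
        "log_bytes": len(line.encode()) + 1,  # size of the line as it would be stored
    }


def summarize(log_text):
    """Aggregate DROP events into the numbers a sensor-placement discussion needs.

    Rates are extrapolated from the observed window to a full day; a real run
    should cover at least a week so that scanning bursts and quiet periods average out.
    """
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and e["action"] == "DROP"]
    if not events:
        return {"drops": 0}
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    window = max((last - first).total_seconds(), 1.0)  # avoid division by zero
    eps = len(events) / window
    log_bytes = sum(e["log_bytes"] for e in events)
    return {
        "drops": len(events),
        "window_seconds": window,
        "unique_sources": len({e["src"] for e in events}),
        "events_per_second": eps,
        "projected_events_per_day": round(eps * 86400),
        "projected_log_mb_per_day": log_bytes / window * 86400 / 1e6,
        # Which services the outside world is probing: the alerts an external
        # sensor would raise for traffic the firewall already discards.
        "top_dports": Counter((e["proto"], e["dpt"]) for e in events).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a day or a week of real drop logs instead of SAMPLE_LOG and the projected event and storage figures give a floor for what an external sensor would see, since a sensor would also capture full packets rather than one log line per drop; the top destination ports show how much of that would be routine scanning against ports the firewall is already closing.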


